Thanks for pointing to some of the code. I see it does not behave as I thought. Subtly so, but with effects that caused me to have an incorrect mental model of what was happening in dev vs. production.
So for production mode, I'm supposed to catch TamperedWithCookie for the entire app, including the auth slice which will not inherit from my Application. Does anyone have sample code for this? I only need simple behavior of "if the cookie is invalid, clear it and create a new empty one". I have looked through the code and it is craftily written to not throw an exception in dev mode (ignore_tampered_cookies = true). By having the crafty solution, there is no path to what to do for production mode. It seems it would be better to throw the exception in all cases where the cookie digest is incorrect and have a stock exception handler set for ignore_tampered_cookies = true. This gives the app developer a very clear path for just plugging/overriding a different handler for production mode. At the moment, I'm at a loss how to stuff this new global behavior into my app.

thanks,
Jon

On Jan 19, 4:21 pm, Roy Wright <[email protected]> wrote:
> You might have found this already:
>
> in config/environments/development.rb
>
> Merb::Config.use { |c|
>   c[:ignore_tampered_cookies] = true
> }
>
> Then search on ignore_tampered_cookies which will find
> cookie.rb where TamperedWithCookie exception is raised.
>
> HTH,
> Roy
>
> On Jan 19, 2009, at 1:58 AM, Jon Hancock wrote:
>
> > now I've pushed some more code into production and retested. In
> > production mode I get a proper "Tampered with cookie" error. In
> > development mode, it seems to be blissfully ignoring the fact that my
> > session_secret_key has changed.
> >
> > This isn't a serious security problem. Now I need to figure out how
> > to deal with the production error. The default behavior of showing
> > the end user a merb exception page isn't very interesting. What I
> > want is to simply throw away the old cookie as it isn't actually
> > tampered with.

You received this message because you are subscribed to the Google Groups "merb" group.
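An added illustration, not Merb's own code and not code from Jon or Roy: a minimal Ruby model of the cookie check the thread is about. The cookie carries `data--digest`, the digest being an HMAC of the data under the session secret; the `CookieSessionCheck` class, its `ignore_tampered` flag (standing in for ignore_tampered_cookies) and the `load_or_reset` helper are assumed names. It shows the dev-mode path that silently clears the session, the production path that raises TamperedWithCookie, and the handler Jon asks for that rescues it and starts a new empty session instead of rendering an error page.

```ruby
require "openssl"
# Added example, not Merb's code: models the "data--digest" cookie check.
# TamperedWithCookie, CookieSessionCheck and load_or_reset are hypothetical names.
class TamperedWithCookie < StandardError; end

class CookieSessionCheck
  # ignore_tampered stands in for Merb's ignore_tampered_cookies setting:
  # true mimics dev mode (silently clear), false mimics production (raise).
  def initialize(secret, ignore_tampered: false)
    @secret = secret
    @ignore_tampered = ignore_tampered
  end

  # Build a cookie value: payload, then an HMAC of the payload under the secret.
  def sign(data)
    "#{data}--#{digest(data)}"
  end

  # Verify and return the payload; "" means an empty (cleared) session.
  def unmarshal(cookie)
    return "" if cookie.nil? || cookie.empty?
    data, mac = cookie.split("--", 2)
    return "" if data.nil? || mac.nil? || data.empty? || mac.empty?
    unless secure_compare(digest(data), mac)
      # A digest mismatch also happens when session_secret_key is rotated.
      raise TamperedWithCookie, "Maybe the session_secret_key has changed?" unless @ignore_tampered
      return ""
    end
    data
  end

  # The production handler the thread asks for: treat an invalid cookie as
  # "throw it away and start a new empty session" instead of an error page.
  def load_or_reset(cookie)
    unmarshal(cookie)
  rescue TamperedWithCookie
    ""
  end

  private
  def digest(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), @secret, data)
  end

  # Constant-time comparison so the digest check does not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```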
